Audit Report

OIG-07-029
Management Letter for the Fiscal Year 2006 Audit of the
Department of the Treasury’s Financial Statements

February 9, 2007

Office of
Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF
INSPECTOR GENERAL

February 9, 2007

MEMORANDUM FOR RICHARD HOLCOMB
               ACTING CHIEF FINANCIAL OFFICER

               WES FOSTER
               ACTING ASSISTANT SECRETARY FOR MANAGEMENT

FROM:          Joel A. Grover
               Deputy Assistant Inspector General
                 for Financial Management and Information
                 Technology Audits

SUBJECT:       Management Letter for the Fiscal Year 2006 Audit of the
               Department of the Treasury’s Financial Statements

I am pleased to transmit the attached management letter in connection with the
audit of the Department of the Treasury’s (Department) fiscal year (FY) 2006
financial statements. Under a contract monitored by the Office of Inspector
General, KPMG LLP, an independent certified public accounting firm, performed the
audit of the Department’s FY 2006 financial statements. The contract required that
the audit be performed in accordance with generally accepted government auditing
standards, Office of Management and Budget Bulletin No.
06-03, Audit
Requirements for Federal Financial Statements, and the GAO/PCIE Financial Audit
Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying
management letter that discusses certain matters involving internal control over
financial reporting and its operation that were identified during the audit which
were not required to be included in the audit report.

In connection with the contract, we reviewed KPMG LLP’s letter and related
documentation and inquired of its representatives. Our review disclosed no
instances where KPMG LLP did not comply, in all material respects, with generally
accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5400, or a
member of your staff may contact Mike Fitzgerald, Director, Financial Audits at
(202) 927-5789.

Attachment

cc:   Harold Damelin
      Inspector General

      Marla A. Freedman
      Assistant Inspector General For Audit

DEPARTMENT OF THE TREASURY

FISCAL YEAR 2006

Management Letter Report

November 13, 2006

Table of Contents

Transmittal Letter

06-01: Succession Planning (Repeat Comment)
06-02: Financial Reporting Standards for Treasury’s Component Entities
       (Repeat Comment)
06-03: The Exchange Stabilization Fund’s Budgetary Accounting
       Methodology (Repeat Comment)
06-04: Financial Reporting Practices at the Departmental Level
06-05: OMB Circular A-123, Management’s Responsibility for Internal
       Control
06-06: Intragovernmental Transactions and Activities
06-07: Performance Measures
06-08: Deferred Maintenance
06-09: Backup Tapes for the Treasury Information Executive Repository
       (TIER) System and CFO Vision Production Servers (Repeat
       Comment)
06-10: Continuity of Operations Plan and Disaster Recovery Procedures for
       TIER and CFO Vision (Repeat Comment)
06-11: Segregation of Duties
06-12: User Account Passwords
06-13: User Accounts
Exhibit 1 – Status of Prior Year Management Letter Comments

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Inspector General
U.S. Department of the Treasury
Washington D.C.

November 13, 2006

We have audited the consolidated financial statements of the U.S. Department of the Treasury
(Department) for the year ended September 30, 2006, and we have issued our report thereon dated
November 13, 2006. Our report indicated that we did not audit the amounts included in the
consolidated financial statements related to the Internal Revenue Service (IRS), a component entity
of the Department. The financial statements of the IRS were audited by another auditor whose
report has been provided to us.

In planning and performing our audit of the consolidated financial statements of the Department, we
considered the Department’s internal control as a basis for designing our auditing procedures for the
purpose of expressing our opinion on the financial statements but not for the purpose of expressing
an opinion on the effectiveness of the Department’s internal control.
Accordingly, we do not
express an opinion on the effectiveness of the Department’s internal control.

During our fiscal year (FY) 2006 audit of the Department’s consolidated financial statements, we
and the other auditor noted certain matters involving internal control and other operational matters
that we considered to be reportable conditions under standards established by the American Institute
of Certified Public Accountants (AICPA). Reportable conditions are matters coming to our attention
relating to significant deficiencies in the design or operation of internal control that, in our
judgment, could adversely affect the Department’s ability to record, process, summarize, and report
financial data consistent with the assertions of management in the consolidated financial statements.
Material weaknesses are reportable conditions in which the design or operation of one or more of
the internal control components does not reduce to a relatively low level the risk that misstatements
caused by error or fraud, in amounts that would be material in relation to the consolidated financial
statements being audited, may occur and not be detected within a timely period by employees in the
normal course of performing their assigned functions. Because of inherent limitations in internal
control, misstatements, due to error or fraud, may nevertheless occur and not be detected.

Our consideration of internal control would not necessarily disclose all matters in internal control
that might be reportable conditions.
In our Independent Auditors’ Report dated November 13, 2006,
we reported the following matters involving internal control and its operation that we and the other
auditor considered to be reportable conditions:

• Financial Management Practices at the IRS (Repeat Condition);
• Electronic Data Processing (EDP) Controls and Information Security Programs Over Financial
  Systems (Repeat Condition); and
• Controls Over Transactions and Balances Related to the International Assistance Programs.

KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is
a member of KPMG International, a Swiss cooperative.

The reportable condition related to the financial management practices at the IRS noted above is
considered to be a material weakness. Detailed findings and recommendations to address the above
reportable conditions are not repeated within this document.

Our audit procedures were designed primarily to enable us to form an opinion, based on our audit
and the report of the other auditor, on the Department’s consolidated financial statements and,
therefore, may not bring to light all weaknesses in policies or procedures that may exist. We aim,
however, to use our knowledge of the Department’s organization gained during our work to make
comments and suggestions that we hope are useful.

Although not considered reportable conditions, we noted certain matters involving internal control
and other operational matters that are presented in the attachment for your consideration. These
comments and recommendations, all of which have been discussed with the appropriate members of
the Department management, are intended to improve the Department’s internal control or result in
other operating efficiencies.
The matters presented in this letter do not include any internal control
or operational matters that may have been presented to the management of the Department’s
operating bureaus that were separately audited by other auditors.

We reviewed all eleven of the prior year management letter comments and determined the status of
corrective actions for each. Of the eleven findings:

• Five were corrected;
• One was partially corrected; and
• Five were not corrected.

Exhibit 1 provides the status of the eleven recommendations included in our management letter
arising from the FY 05 audit. We have not considered the Department’s internal control since the
date of our report.

We appreciate the courteous and professional assistance that Department personnel extended to us
during our audit. We would be pleased to discuss these comments and recommendations with you at
any time.

The Department’s written response to our comments and recommendations has not been subjected
to the auditing procedures applied in the audit of the consolidated financial statements and,
accordingly, we express no opinion on it.

This communication is intended solely for the information and use of the management of the
Department, Department’s Office of Inspector General (OIG), Office of Management and Budget,
Government Accountability Office, and Congress, and is not intended to be and should not be used
by anyone other than these specified parties.

November 13, 2006

FISCAL YEAR 2006 RECOMMENDATIONS

06-01: Succession Planning (Repeat Comment)

In our fiscal year (FY) 2005 audit, we reported that several key personnel having significant
institutional knowledge of the Department’s accounting and reporting processes within various
Departmental offices were at or near retirement
eligibility status. Furthermore, we noted no policies
or procedures related to succession planning, or staff being trained to succeed these individuals. In
FY 06, we noted that some improvements had been made, but significant succession planning
activities still remained to be conducted to prevent serious loss of operational and institutional
knowledge in the event of unexpected absences or retirement by key officials. Details related to
some of the Departmental offices we observed as needing immediate succession planning actions
follow.

The Office of Accounting and Internal Control (AIC) is responsible for Treasury-wide financial
accounting and reporting matters, such as preparation of the consolidated financial statements and
notes for the Department, and provides financial policy guidance to the bureaus and offices of the
Department. AIC deals directly in broad matters of domestic and international finance, financial
markets, Federal, State, and local finance (including the Federal debt), Federal Government credit
policies, and lending and privatization. AIC has experienced senior staff critical to carrying out its
financial management mission. These individuals, whom we customarily deal with during the
consolidated audit, have significant institutional knowledge and will soon be eligible for retirement.

During FY 06, we noted that within AIC, two experienced new staff joined during FY 06 (one in
the accounting branch, and one in the internal control branch), two contractors had been used to
assist with various year-end consolidated financial statement activities, and various standard
operating procedures had been documented for guidance purposes.
Although these activities reflect
management’s commitment to take corrective action, these activities will not significantly improve
AIC’s capability to continue with mission-critical activities if a key AIC staff member is
unexpectedly unavailable to perform his/her duties. For example, during the FY 06 interim audit
work conducted during July and August 2006, significant delays were experienced in receiving
requested audit documentation and/or explanations to audit-related questions due to the unexpected
absence of one key AIC staff member, and leave taken by another key AIC staff member causing
significant interim audit completion delays since these individuals were critical in terms of support
for the audit.

The Office of Performance Budgeting (OPB) is responsible for the Department’s budget execution
and for financial management of the Department’s International Assistance program, among other
duties. OPB is a small office with employees with budget formulation and execution
responsibilities. Two key officials with significant institutional knowledge and skills, whom we
customarily deal with to resolve Treasury budgetary-related matters, are also eligible for immediate
retirement. We are not aware of and did not observe any staff being trained to perform their duties
under the supervision of OPB senior staff.

Further, we are not aware of any plans by the Department to provide additional staff to perform the
key duties within AIC and OPB as part of succession planning. Succession planning is a
government-wide issue that the Government Accountability Office (GAO) has identified as
requiring attention by top government officials.
In addition to the lack of trained staff to take over
such positions, AIC and OPB still do not have a complete set of standard operating procedures that
would help new staff understand how to perform their duties should the need arise.

The Office of Personnel Management (OPM) issues regulations related to personnel management
for the Federal government. GAO has issued several reports citing the need for succession planning
by the government in order to address workforce challenges. In an April 21, 2005, testimony [1]
before the Senate Subcommittee on Oversight of Government Management, the Federal Workforce,
and the District of Columbia, GAO stated:

    A key piece of an agency’s strategic human capital plan should also
    acknowledge the demographic trends that the agency faces with its workforce,
    especially pending retirements, and include succession strategies and training
    and development programs to ensure that it will have the knowledge, skills, and
    abilities it needs to meet its mission…

    Training and developing new and current staff to fill new roles and work in
    different ways will transform how agencies do business and engage employees
    in further innovation and improvements.

AIC and OPB have not been able to hire the staff necessary, nor have they been able to train other
Treasury staff to assume their responsibilities, due in part to budget constraints. This is the second
year that succession planning has been identified as a recommendation.
In the event of the
retirement or sudden prolonged absence of one or more of these individuals, Treasury would face a
serious loss of operational and institutional knowledge absent any adequate, formalized succession
plan, resulting in serious financial management deficiencies.

In conclusion, we continue to have significant concerns that the amount of resources (training,
tools, and staff) available to implement successful succession planning is lacking. Department
support for succession planning and actions to prepare for the future are needed now, given the long
lead times needed to ensure the knowledge and skills of key staff are transferred effectively. We
acknowledge that at a time of budget constraints and deadlines that Departmental offices must
meet, it is difficult to request additional staff or to train other staff to assume additional
responsibilities. However, the day-to-day constraints should not be allowed to deter the Department
from the advance planning and preparation needed to ensure that its offices will be able to perform
their responsibilities effectively in the absence of key senior staff members. Any further delays in
this process will impact the Department’s future ability to manage financial accounting and
reporting activities.

[1] U.S. Government Accountability Office, Human Capital: Agencies Need Leadership and the Supporting Infrastructure
to Take Advantage of New Flexibilities, GAO-05-616T, April 21, 2005.

06-01 Recommendations

We recommend that the Acting Assistant Secretary for Management (ASM), Acting Chief Financial
Officer (CFO), and Deputy Assistant Secretary for Human Resources and Chief Human Capital
Officer, with input from the Directors of AIC and OPB, as well as other offices, as appropriate:

1. Consider what actions can be taken now, without additional staff, to ensure that if a key staff
   member is unexpectedly unavailable to perform his/her duties, that the offices’ mission will be
   met with minimal disruption, and document these as necessary.

2. Clearly define the roles and responsibilities, organizational structure of AIC and OPB, and
   critical success factors that are necessary to manage the financial reporting activities needed to
   support the Department-wide financial management practices.

3. Perform a human capital needs assessment, with particular focus on AIC and OPB management
   skills needed to perform the daily operations of AIC and OPB.
   The assessment should be
   conducted either internally or by an independent specialist, and should identify the additional
   managerial skill sets, e.g., financial accounting background, knowledge, and expertise, required
   to strengthen the financial accounting and reporting infrastructure, and, once strengthened, to
   effectively manage the processes necessary to be conducted throughout the year.

4. Once the human capital needs are assessed (per recommendation 3 above), hire staff, or
   consider transferring suitable staff from other offices within Treasury to meet these immediate
   needs.

Management Response

The Deputy CFO will work with the Office of Human Resources to address a long term solution.
The budget constraints for fiscal years 2007 and 2008, and probably future years, will significantly
limit the resources available for additional staffing in a number of critical functions. To address the
immediate needs of training and developing current staff, the Department is placing top priority on
documenting standard operating procedures and preparing an information handbook for critical
functions. We will define specific roles and responsibilities and assign a backup for each critical
function. In addition, we will implement cross-training among current staff for these critical
functions. We will also explore using detailees from other offices to provide some back-up
expertise.

Additionally, during FY 2006 we performed an assessment of existing staff core competencies and
tailored each staff’s Individual Development Plans to address any areas needing improvement.
We
developed comprehensive listings of core competencies for each job series within DCFO, utilizing
core competency materials from the Department of Defense, the Joint Financial Management
Improvement Program, the Office of Personnel Management, and our own internal knowledge of
required competencies. Each employee rated his or her knowledge of each competency, and their
supervisors independently performed the same rating. Employees and supervisors then met to
identify and discuss any differences in ratings and determine competencies that the employee needs
to enhance. Employees and their supervisors then developed Individual Development Plans tailored
to specifically address the targeted core competencies, increase special competencies, and provide
for overall professional development. Training to address targeted core competencies will receive
first priority in the DCFO’s training budget.

06-02: Financial Reporting Standards for Treasury’s Component Entities (Repeat Comment)

The Department’s consolidated financial statements are prepared in conformity with accounting
principles prescribed by the Federal Accounting Standards Advisory Board (FASAB), the
accounting standards-setting body for the Federal Government, as recognized by the AICPA in
October 1999. However, certain Department component entities prepare their financial statements
in accordance with accounting standards prescribed by the Financial Accounting Standards Board
(FASB), the private sector standards-setting body, since the FASAB has allowed entities that issued
financial statements prior to October 1999 using FASB accounting to do so.
These entities include
the Bureau of Engraving and Printing (BEP), the Office of Thrift Supervision (OTS), the Exchange
Stabilization Fund (ESF), the Federal Financing Bank (FFB), and the Community Development
Financial Institutions Fund (CDFI).

The use of a combination of generally accepted accounting principles (GAAP) by the Department
and its component entities complicates the preparation of the Department’s consolidated financial
statements since additional information required for Federal GAAP reporting must be developed,
mapped and submitted to the Department’s data warehouse by component entities, and reviewed for
compliance with Federal GAAP and overall reasonableness by Department accounting
management.

Private sector GAAP does not contemplate budgetary reporting and therefore components using this
basis of accounting do not prepare Statements of Budgetary Resources (SBR) or Financing,
although these statements are an integral part of the Department’s consolidated financial statements,
and must be prepared regardless of whether the component receives appropriations from the U.S.
Government or not. Moreover, information reported in the Department’s SBR must be reconciled to
enacted amounts in the President’s Budget and disclosed in the notes to the Department’s
consolidated financial statements.

Additionally, private sector GAAP does not provide sufficient information regarding the costs of
programs and activities.
The Statement of Net Cost required by Federal GAAP requires that costs
and offsetting earned revenues be presented by responsibility segments, with net costs identified for
each of the segments, in order to provide more meaningful information to evaluate the operating
results of major activities.

Further, inconsistencies exist in how certain costs are reported by entities using private sector
GAAP. For example, Federal GAAP requires that non-reimbursed costs paid by the Office of
Personnel Management for retirement plans be recognized by the receiving entity as an imputed
cost in order to report the full cost of operations. Since private sector GAAP does not provide
guidance for the reporting of such imputed costs, these costs are being reported inconsistently, or
not at all, by the Department’s component entities.

This matter has been reported since FY 04, and has not been resolved to date. Some progress has
been made in that two components have converted from commercial to Federal GAAP reporting,
and the Department has requested the Financial Accounting Standards Advisory Board (FASAB) to
address this situation. The continued use of private sector GAAP by certain Department component
entities decreases the usefulness of information reported by these entities for users of Federal
financial statements. In order to strengthen and standardize financial accounting and reporting
throughout the Department, all component entities should be required to prepare their financial
statements in accordance with Federal GAAP, unless statutorily required to report on a different
basis of accounting.

06-02 Recommendations

We recommend that the Department research and determine whether component reporting entities
reporting on a basis other than Federal GAAP are required to do so by statute.
We further
recommend that the Department continue to work with the affected Treasury bureaus to achieve
conformance in FY 07, so that all such reporting entities within the Department prepare their
financial statements in accordance with Federal GAAP, unless statutorily required to report in
accordance with a different basis of accounting.

Management Response

The Department requires that all bureaus/reporting entities comply with the United States Standard
General Ledger (USSGL), which is used for Federal sector GAAP. The USSGL balances
transmitted by the bureaus to the Department’s centralized database are appropriately mapped to
reflect transactions on a Federal GAAP basis in the Department’s consolidated financial statements.
No errors resulting from conversion from private sector GAAP to Federal GAAP were noted in the
Department’s FY 2006 and FY 2005 consolidated financial statements.

In April 2004, the OIG requested that FASAB consider requiring Federal GAAP for the general
purpose financial statements of Federal entities, unless there is a statutory or regulatory requirement
to report on a different basis. FASAB has included this issue as one of the four potential projects
identified in the Invitation to Comment – Technical Agenda Options document dated July 22, 2005.
Treasury and the OIG provided comments to FASAB, and ranked the Appropriate Source for
GAAP project as the second highest priority project next to the Federal Entity project.

In discussing this matter with component entities, one of the problems that surfaced was their belief
that the audiences for their financial statements are used to commercial-type financial statements
and would not understand statements prepared following FASAB/OMB standards.
The question of
the usefulness of the component level statements needs to be addressed and resolved.

Treasury will work with the FASAB and the Office of Inspector General in addressing this issue,
and will continue to work with the affected bureaus in FY 2007 to achieve greater conformance.

06-03: The Exchange Stabilization Fund’s Budgetary Accounting Methodology (Repeat
Comment)

The Exchange Stabilization Fund (ESF or Fund) maintains a transaction-based accounting system
for the federal proprietary Standard General Ledger (SGL) accounts, but does not have a
transaction-based budgetary accounting system. Some of the ESF budgetary data reported in TIER,
the Department’s repository accounting system, is misclassified or inaccurate, but has been left in
TIER to force a fit with budgetary accounting definitions. For example, undelivered orders, SGL
account 4801, has been reported in ESF’s Trial Balance in TIER as $14.1 billion since 2000.
However, the ESF does not report any undelivered orders in its SBR nor does it have any
transactions that meet the Office of Management and Budget’s (OMB) definition of undelivered
orders. As a result, ESF’s SBR is prepared manually outside of TIER, and outside of CFO Vision,
the Department’s financial reporting system that converts TIER data into its financial statements.

ESF’s reporting to the OMB for purposes of the President’s Budget is also inconsistent with ESF’s
audited financial reporting data and requires reconciliation each year. The President’s Budget
includes actual obligations and outlays inconsistent with the audited ESF SBR for the reporting
year. For example, outlays reported in the President’s Budget do not contain valuation gains and
losses on foreign currency, whereas the Department-prepared SBR for ESF includes such amounts
in outlays.
As a result, the Department’s budgetary financial data for ESF submitted to FACTS II
for government-wide reporting purposes is inconsistent with its SBR, Statement of Financing,
TIER, and with the information provided to OMB for the President’s Budget. In addition, the lack
of written, approved operating procedures for ESF has resulted in inconsistencies from year to year
in the methodology used in the translation of the ESF proprietary accounts to budgetary accounts.

OMB Circular No. A-11, Part IV requires nonappropriated funds, such as the ESF (as well as
appropriated funds) to be included in an agency’s combined SBR. It also requires the SBR to be
based on budget terminology, definitions, and guidance. In addition, OMB Circular No. A-127,
Section 7a, requires Federal financial management systems to “… ensure consistent information is
collected for similar transactions throughout the agency, …and ensure consistent information is
readily available and provided to internal managers at all levels within the organization.” Section
7c states further, “Reports produced by the systems that provide financial information, whether used
internally or externally, shall provide financial data that can be traced directly to the SGL accounts.”
In addition, GAO’s Standards for Internal Control in the Federal Government [2] states:

    Internal control and all transactions and other significant events need to be
    clearly documented, and the documentation should be readily available for
    examination.
           The documentation should appear in management directives,
           administrative policies, or operating manuals and may be in paper or
           electronic form.”

The Department has complied with OMB and other requirements by adopting unique budgetary
applications for ESF data, and in FY 06 requested OMB to review and agree with the Department’s
budgetary reporting adaptations that require major reconciliations with the President’s Budget, with
TIER, and with FMS FACTS II requirements for the Fund. OMB and FMS provided a solution in
FY 06 to resolve the requirement to report FBWT to meet FACTS II edits but have not yet reviewed
and agreed to the Department’s budgetary reporting adaptations. No approved model of budgetary
transactions exists for ESF that would ensure that consistent budgetary and proprietary data is
readily available that can be traced directly to the SGL accounts.

In response to prior year recommendations to request a waiver from OMB from the requirement to
provide Statements of Budgetary Resources and Financing for ESF, AIC prepared a draft waiver
request in 2005 which was submitted to OMB and the Financial Management Service (FMS).
No waivers have been granted as yet, and the AIC is still in the process of communicating with OMB
and FMS on this matter.

06-03 Recommendations

We recommend that the Acting CFO, with input from the Director of AIC, as appropriate:

1.  Prepare written operating procedures with accompanying rationale as to why the proprietary
    accounts chosen approximate budgetary definitions.

2.  Request approval from OMB for the definitions the Department uses to translate ESF
    proprietary accounts to budgetary line items to prepare Statements of Budgetary Resources and
    Financing, recognizing that standard federal budgetary definitions do not apply to the ESF’s
    investment portfolio fund.

3.  Explore with OMB alternative ways of providing meaningful, accurate, and consistent data on
    ESF in the President’s Budget and how the information should be reported in the
    government-wide financial statements.

[2] U.S. Government Accountability Office, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1, November 1999.

Management Response

The Department agrees with the auditor’s recommendations and will continue to work with OMB to
obtain specific guidance on providing more meaningful budgetary and FBWT reporting for ESF.
The Department will also prepare written operating procedures fully explaining the rationale
supporting those procedures, and update the procedures as necessary based on any reporting
improvements agreed to by OMB and the Department.

06-04: Financial Reporting Practices at the Department Level

Financial reporting processes and procedures at the Departmental level need improvement to enable
the timely preparation and issuance of the Department’s consolidated financial statements and the
annual Performance and Accountability Report (PAR), and to ensure proper
financial management.

AIC is responsible for establishing and maintaining financial policies that guide consolidated
financial reporting throughout the Department, implementing internal controls to ensure the overall
integrity of financial data, and preparing periodic consolidated financial statements. The
Department’s Office of Strategic Planning and Performance Management (SPPM) within the Office
of Management and Budget, and the Office of Accounting and Internal Control (AIC) within the
Office of the Deputy Chief Financial Officer, are jointly responsible for the preparation of the PAR.
Under the current financial reporting structure, AIC prepares consolidated financial statements,
including footnote and supplementary data, from trial balances and other financial data submitted
by the components to AIC through the TIER system. AIC is dependent on the Treasury components
for complete, accurate, and timely submission of monthly financial data. SPPM manages the
completion of the performance sections of the PAR in conjunction with input from Treasury
components. SPPM and AIC work jointly to produce the complete PAR. Certain quality
control procedures are conducted by both AIC and SPPM to ensure that component financial,
performance, and other data is accurate and complete for inclusion in the consolidated financial
statements/PAR; however, several quality control deficiencies and other issues were noted during
the FY 06 audit as follows:

•  The Department prepared its first interim consolidated financial statements (to include footnote
   and supplementary data) in FY 06 based on financial data for the nine months ended June 30.
   These interim consolidated financial statements were prepared to allow for an early start on
   interim audit reviews due to significant changes in accounting and reporting requirements
   occurring in FY 06.
   However, preliminary reviews of these interim consolidated financial
   statements revealed errors, inconsistencies, inadequate or incomplete footnote disclosures, and
   a lack of supporting documentation for certain footnote disclosures and required supplementary
   data. Preparation of interim consolidated financial statements reflected a good start by AIC
   management to begin an early review of the consolidated financial statements, but reflected
   inadequate quality control procedures. As a result, unnecessary audit time was spent on
   reviewing the interim consolidated financial statements as well as on the audit of various
   June 30 account balances. Consequently, some routine audit test work procedures typically
   performed on interim consolidated financial statements were delayed until year-end, and
   extensive time was spent at year end by both AIC officials and the audit team to ensure that the
   consolidated financial statements conformed to new FY 06 accounting and reporting
   requirements.

•  The following are examples of the significant non-routine accounting and reporting matters that
   had not been completed or addressed timely by AIC:

   -   The Department did not finalize its preparation of the detailed footnote disclosure required
       under Statement of Federal Financial Accounting Standard (SFFAS) No. 27, Identifying
       and Reporting Earmarked Funds, for FY 06 reporting until late October;

   -   After meeting with all responsible parties to discuss the effects on the financial statements
       and footnotes, the Department accepted accounting and reporting changes resulting in a
       reclassification of certain cash and cash equivalents account balances to investments that
       had been approved by OMB as part of the ongoing effort to address unique ESF reporting
       issues.
       However, a subsequent review by the audit team of the approved accounting and
       reporting changes, and upon agreement with responsible parties, led to the conclusion that
       the reclassification should in fact not have been made, mainly because the reclassification
       did not meet the criteria for change from cash and cash equivalents to that of an investment;
       and

   -   Various accounting and reporting requirements stipulated by OMB Circular A-136,
       Financial Reporting Requirements, applicable to FY 06 had not been addressed and
       included until the final draft of the year-end consolidated financial statements. For example,
       changes to footnote disclosure requirements related to the Department’s Reconciliation to
       the President’s Budget to include a reconciliation of Obligations Incurred had not been
       addressed until it was identified as a requirement during the audit.

•  Adequate reviews were not performed on documentation provided to support audit requests. For
   example, the initial documentation provided to support the Department’s Reconciliation to the
   President’s Budget (PB) did not fully support the reconciling amounts reported in the PB
   reconciliation even though the documentation had been reviewed by AIC officials prior to
   submission to auditors. Although differences identified were fully explained and supported, the
   initial supporting documentation provided was not comprehensive enough to eliminate the level
   of discussions needed to understand the Department’s unique budget transactions and how they
   contribute to the PB reconciliation.

•  Year-end variance analysis explanations provided in some instances were vague and were not
   properly reviewed and/or followed up.
   Consequently, significant time was spent by the audit
   team in discussions with component audit teams as well as component management to clearly
   establish the rationale for the variances identified as necessary. Although the Department
   requires components to provide variance explanations on a quarterly basis, the explanations
   provided at year end are not adequately reviewed or explanations followed up in a timely
   manner.

•  Procedures followed by responsible AIC officials in the accounting and reporting of various
   unique transactions, such as the reporting of the U.S. Mint’s Seigniorage in the Department’s
   consolidated financial statements, were not fully documented.

•  The year-end consolidated financial statements as well as certain PAR sections reflected a lack
   of adequate review by responsible officials within AIC and SPPM prior to submission to the
   auditors. Further, comments provided by the auditor and OIG on the initial consolidated
   financial statements and draft PAR were not reviewed by a responsible official within AIC or
   SPPM prior to submission of the revised consolidated financial statements and drafts of the FY
   06 PAR for audit review, causing the same errors to be identified repeatedly. In addition, due to
   version control problems, later versions of the FY 06 PAR continued to contain various errors
   that had previously been corrected.

The consolidated financial statements issues identified above occurred mainly due to the fact that
existing AIC senior staff had excessive workloads. Therefore, insufficient time was available to be
devoted to supervisory reviews and other financial management activities.
This situation resulted in
substantial reliance being placed on the annual audit process to identify errors and omissions in the
consolidated financial statements and PAR.

The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires that agencies establish
internal controls according to standards prescribed by the Comptroller General and specified in the
GAO’s Standards for Internal Control in the Federal Government (Standards). The GAO defines
“internal control” as an integral component of an organization’s management that provides
reasonable assurance that the following objectives are achieved: effectiveness and efficiency of
operations, reliability of financial reporting, and compliance with applicable laws and regulations.
The GAO Standards identify the control environment as one of the five key elements of control,
which emphasizes the importance of control conscientiousness in management’s operating
philosophy and commitment to internal control.
These standards cover controls such as human
capital practices, supervisory reviews, segregation of duties, policies, procedures, and
monitoring.

06-04 Recommendations

We recommend that the Acting CFO and Acting ASM, with input from the Directors of AIC,
SPPM and OPB, as appropriate:

1.  Recruit experienced accounting staff necessary to assist in the performance of day-to-day
    activities of AIC (see finding 06-01, Succession Planning, for additional recommendations).

2.  Establish new or improve existing policies and procedures to ensure that:

    i.   Interim consolidated financial statements are prepared to include all disclosures, including
         the adoption of new accounting standards and restatements (if any) of prior year
         consolidated financial statements, and are addressed early each fiscal year, no later than the
         third quarter, to give management and the auditors adequate time to review changes before
         year-end;

    ii.  Documentation exists to support all new and/or unique accounting and reporting
         requirements as well as non-routine or complex accounting and reporting matters. This
         documentation should include a review of the documentation by responsible officials within
         AIC. For example, any new financial statement footnote disclosures to be developed should
         include a policy memo, financial statement footnote disclosure format as well as evidence
         of review by responsible officials within AIC of both the policy as well as the format to be
         followed.

    iii. Adequate reviews are conducted by senior AIC officials on all audit-requested
         documentation to ensure that the documents and information being provided are accurate
         and complete.

    iv.  Quality control reviews are performed on interim and consolidated financial statements as
         well as the respective sections of the PAR by responsible officials prior to submission to
         auditors to ensure that all errors and inconsistencies are corrected prior to submission to the
         auditors.

Management Response

As mentioned in our response to finding 06-01, succession planning, budget constraints for fiscal
years 2007 and 2008 will likely prohibit the opportunity for recruiting additional experienced
accounting staff. However, the Department will take actions to develop policies and procedures to
ensure full disclosure in interim financial statements. Internal guidance will be developed to ensure
new reporting requirements and audit-requested documentation will receive proper management
review prior to being provided to the auditors, and likewise to ensure that all requested
documentation is provided in accordance with agreed-upon schedules.

During FY 2007, the Department will update its papers documenting unique accounting and
reporting requirements and unusual or complex accounting/reporting matters. We will also expand
our formal review procedures to ensure that all components of the PAR are reviewed by responsible
officials prior to submission to the auditors.

06-05: OMB Circular A-123, Management’s Responsibility for Internal Control

OMB Circular No. A-123 Revised, Management Accountability and Control (A-123), issued
December 2004, and effective for implementation in FY 06, requires agencies to (1) develop and
implement management controls; (2) assess the adequacy of management controls; (3) identify
needed improvements; (4) take corresponding corrective actions; and (5) report annually on
management controls (commonly known as management’s Federal Managers’ Financial Integrity
Act (FMFIA) report).
A-123 provides the guidance for agencies to implement the FMFIA and
applies to all Federal agencies. Appendix A, Internal Control over Financial Reporting
Implementation Guide from A-123 requires management’s evaluation of the internal controls over
financial reporting (ICOFR), and separate assurance statements on the operating effectiveness of the
ICOFR by 24 CFO Act agencies. Agencies are to use the Standards for Internal Control in the
Federal Government (the Green Book) to evaluate the three objectives of internal control which are
to ensure (1) the effectiveness and efficiency of operations; (2) reliability of financial reporting; and
(3) compliance with applicable laws and regulations.

During FY 06, the Department significantly enhanced its FMFIA assessment policies and
procedures to be conducted by its components. The AIC, in response to A-123 Appendix A,
prepared the Department’s Methodology and Implementation Plan, which provided a clear,
organized implementation strategy with well-defined documentation processes and requirements for
Treasury components. Components used this guidance to assess the adequacy of controls over
selected financial reporting processes identified as key by the Department.

While we noted that the Department had undertaken the steps needed to meet the minimum
threshold for general compliance with A-123 requirements, further improvements are needed in
various areas as identified during our limited review of the A-123 work undertaken by the
Department and its components.

Implementation Procedures

•  Components are responsible for conducting the A-123 related work and reporting on
   management controls once AIC has approved the transaction testing plans for the respective
   component.
   There is limited involvement by AIC staff once testing plans are approved, other
   than the review conducted on the interim and final FMFIA and A-123 assurance statements
   provided by the respective components in support of the overall Departmental level assurance.
   Consequently, there is no centralized review of any of the work done by components to assess
   whether the testing plans and other A-123 Methodology and Implementation Plan requirements
   have been followed.

   A centralized review will help in identifying issues early and assist the AIC in evaluating
   whether A-123 assessments are based on verifiable results.

•  Several instances were noted whereby A-123 required steps for the components/offices which
   we selected for limited review were not conducted as required, or were omitted in their entirety
   due to various reasons, or the required steps were conducted, but were not appropriately
   documented by the respective components/offices:

   -   Three of six components/offices did not develop test plans and related results in accordance
       with the guidelines provided by the Department’s Methodology and Implementation Plan.
       For example, details of the scope of the test, expected results, and results of testing were not
       documented in accordance with the required format.
       Therefore, it was unclear, without
       significant explanation from component entity staff, what the components’ processes and
       results were.

   -   One of six components/offices did not have its test plans approved in accordance with the
       guidelines provided by the Department’s Methodology and Implementation Plan.

   -   Four of six components/offices did not conduct tests over the controls to compile,
       consolidate, assemble, and distribute their financial statements and other financial reports.
       The Department’s Methodology and Implementation Plan requires components to
       specifically address (1) elimination procedures and controls in place to ensure that financial
       statement preparation is controlled and footnotes and other supplemental information is
       complete and accurate, and (2) TIER transmissions to the Department are complete and
       accurate. Although components have controls in place to compile, consolidate, assemble,
       and distribute their financial statements and other financial reports, the testing of these
       controls had not been formally documented as required by the Department’s Methodology
       and Implementation Plan.

   -   Two of six components/offices provided no evidence of review of the status of corrective
       actions developed in response to audits that directly affect financial reporting, except for a
       statement that they conducted the review. According to the Department’s Methodology and
       Implementation Plan, each component is to review the status of corrective actions
       developed in response to audits that directly affect financial reporting.
       The review should
       consider whether corrective actions are on schedule, their degree of impact on the controls
       over financial reporting, and the impact of corrective actions planned or taken, to the total
       financial reporting control environment. Bureaus and offices are to document the
       completion of these actions as part of the total assessment methodology.

   -   Three of six components/offices provided no evidence of review of testing of compliance
       with governing regulations. According to the Department’s Methodology and
       Implementation Plan, each component entity is to review their compliance with governing
       regulations, as necessary. Some components made references to prior year external audit
       results on compliance with laws and regulations, instead of actually identifying and testing
       the laws and regulations that apply.

   -   Five of six components/offices did not test Information Technology (IT)-related controls.
       We were informed by AIC that review and testing of IT controls were not required to be
       conducted since Treasury management expected to rely on the procedures already in place
       by components to evaluate general and application systems and related controls to comply
       with the Federal Financial Management Improvement Act of 1996, and the Federal
       Information Security Management Act of 2002.

The above issues revealed a need for improvement by components in the conduct of A-123 testing
and related documentation.

Transactions Testing

•  For one of six components/offices tested, the component:

   -   Performed testing over summary transactions in the general ledger and did not trace
       transactions to source documents or systems, which are maintained by other entities or
       related offices.

   -   Did not test material components
       of expense and balance sheet line items, and also did not
       test certain material balances even though material transaction activity had occurred during
       the course of the year. This occurred because the transactions and balances to be tested are
       determined by AIC at the Departmental level based on pre-set materiality thresholds.

•  For three of six components/offices whose test work documentation was reviewed, documentation
   of the source of the population and the sample selection processes followed was insufficient.

Reporting

•  A number of the components/offices did not follow the A-123 assurance assessment format
   provided by the Department, and there was no follow-up by the AIC to require that the format
   be followed. As a result, key phrases needed to assert assurance were not included in the
   assurance statement.

•  The Department did not consider certain material weaknesses in internal control over financial
   reporting as weaknesses affecting the overall assurance level at the Departmental level.

   The Secretary’s Letter of Assurance for FY 06 reports that it is only the IRS’ revenue
   accounting system weakness that affected Treasury’s overall assurance level for internal
   controls over financial reporting.
   Other identified material weaknesses cited in the FY 06 assurance letter, such as reducing
   overclaims in the Earned Income Tax Credit program and improving system security controls,
   also meet the definition of a weakness in internal control over
   financial reporting and, as such, should also have been included as weaknesses affecting the
   overall assurance level for internal controls over financial reporting.

FMFIA requires Federal agencies to establish internal accounting and administrative controls to
ensure that: (1) obligations and costs comply with applicable law; (2) assets are safeguarded against
waste, loss, unauthorized use or misappropriation; and (3) revenues and expenditures are properly
recorded and accounted for. Further, the Act directs the head of each agency to evaluate such
controls annually and to submit to Congress and the President either a statement that the controls
are adequate or a report on any weaknesses in such controls with a schedule for corrective
measures.
The issuance of A-123 provided further guidance to agency management for evaluation
of the internal controls over financial reporting in support of its annual FMFIA assurance statement.

The recurrence of the issues discussed above may ultimately result in A-123 evaluations by
components that are not supported by verifiable results since appropriate procedures were not
documented as required or not conducted.

06-05 Recommendations

We recommend that the Acting CFO, with input from the Director of AIC, as appropriate:

1.  Designate a responsible official within AIC to review the A-123 work being conducted by
    components to ensure that the Department’s A-123 guidance is complied with.

2.  Consider the use of a checklist to facilitate review of key requirements when reviewing A-123
    documentation provided by components, and specifically include reviews of the areas needing
    improvement as discussed above.

3.  Communicate the deficiencies identified during the FY 06 A-123 testing, as discussed above, to
    all components, and conduct follow-up to ensure that these deficiencies have been addressed, as
    necessary, during FY 07 A-123 testing.

4.  Develop and implement procedures to require testing of the IT systems and related controls
    supporting the financial reporting processes, as well as applicable laws and regulations.

5.  Revise existing procedures to identify and include control testing of all significant transactions,
    including those that are either generated by other entities or resident in related offices (for
    example, transactions processed for Treasury bureaus by the Federal Reserve Banks).

6.  Develop an interim assurance letter for purposes of early review for concurrence on conclusions
    by all responsible officials so as to eliminate any future reporting deficiencies.

Management Response

AIC has a
responsible official to review the A-123 work conducted by Treasury’s components to
ensure that the Department’s A-123 guidance is complied with. All test plans submitted by the
material components for FY 2006 were reviewed using the required outline prescribed in the A-123
Methodology and Implementation Plan. The level of compliance and final results of testing, which
was prescribed to be conducted at the transaction level, was communicated to the AIC in the same
manner as the results of the annual assurance statement process for FMFIA and FFMIA (e.g., as a
draft and as a final assurance statement).

The AIC simply does not have on-board resources sufficient to review all of the work that was
performed in the bureau and offices. The A-123 testing performed in FY 2006 spanned 12 bureaus
and offices that utilized approximately 45 in-house resources and 12 contract resources to conduct
and document the testing, while the AIC has two resources to review all of their collective efforts.
Further, these two AIC resources cannot be 100% dedicated to A-123 due to other demands and
expectations placed on the AIC. Thus, primary responsibility must be placed upon the testing
bureaus and offices to complete the testing and assessment for A-123, Appendix A, in accordance
with the guidance issued.
However, we will explore using existing accounting branch staff to assist
the internal control staff in reviewing bureau work on a test basis.

During the update to the A-123, Appendix A guidance for FY 2007, more explicit reporting and
documentation requirements have been placed upon the bureaus and offices, and specific
IT-controls have been identified and added to the Treasury Catalogue of Risks and Controls.

We will review our existing procedures with the goal of identifying significant transactions that are
generated or resident in other offices so that we can consider additional testing that may be
necessary and identify resources required to perform any additional testing in FY 2008.

We currently receive interim assurance information from the bureaus on the financial reporting
aspect of Circular A-123 as of June 30, and receive complete draft assurance statements in early
September. We will continue to follow this practice and enhance it by summarizing the proposed
A-123 Appendix A reporting for review and discussion well before fiscal year end.

06-06: Intragovernmental Transactions and Activities

The Department conducts business with other Federal agencies resulting in intragovernmental
receivables, payables, and the reporting of revenues and expenses from intragovernmental
transactions. Federal accounting and reporting regulations require Federal agencies to routinely
identify and reconcile intragovernmental balances and transactions with trading partners. These
procedures help ensure that intragovernmental balances properly eliminate in the government-wide
consolidated financial statements. AIC is responsible for the issuance of policy and procedures, and
for coordinating the reconciliation of intragovernmental transactions at the Department level in
conjunction with Treasury components.
While the Department conducted the work required on
intragovernmental transactions and balances differences with partner agencies in compliance with
the requirements of the Treasury Federal Intragovernmental Transactions Accounting Policies
Guide, dated August 18, 2006 (TFITAPG) to the extent possible, we believe that the Department
can further improve the resolution of any remaining unresolved differences by meeting with
responsible officials from the partner agency rather than through e-mail communications.

The TFITAPG states that OMB Circular No. A-136 requires Federal CFO Act and non-CFO Act
entities identified in the Treasury Financial Manual 2006, Vol. I, Part 2-Chapter 4700, Agency
Reporting Requirements for the Financial Report of the United States Government, to perform
quarterly reconciliations of intragovernmental activity/balances and resolve differences as
necessary.

Treasury Financial Manual Bulletin No. 2007-03, Intragovernmental Business Rules, dated
November 15, 2006, and effective for FY 07, provides further guidance to Federal agencies for
standardizing the processing and recording of intragovernmental activities, and also provides
guidance on resolving intragovernmental disputes and major differences.

Reconciling trading partner activity and balances and resolving unknown or contentious differences
at least quarterly is necessary to identify the reasons for any material out-of-balance conditions
between Federal entities on a timely basis.

06-06 Recommendation

We recommend that the Acting CFO, with input from the Director of AIC, as appropriate, revise
existing resolution procedures both at the Departmental and component levels to require meeting
directly with responsible officials from the partner agency for any intragovernmental differences
that are considered unknown and/or contentious so that such differences are resolved in a timely
fashion.
If necessary, OMB officials should be asked to become involved as mediators.

Management Response

AIC is drafting the Department’s intragovernmental transaction procedures to emphasize
compliance with FMS Business Rules, using Treasury intragovernmental elimination reports for
bureau accounting and monitoring, establishing and updating executive agency intragovernmental
transaction points of contact, and resolving intragovernmental transaction differences via periodic
meetings with partner agencies. If necessary, we will seek OMB mediation of differences we are
unable to resolve with other agencies.

06-07: Performance Measures

Agencies report on their annual performance in their PAR utilizing performance measures. OMB
Circular No. A-136 requires Federal agencies to discuss their key performance measures in the
Management’s Discussion and Analysis (MD&A) section of their PAR.

Treasury issues an annual report titled “Full Report of Treasury’s FY 06 Performance Measures by
Focus and Strategic Goal” (Report), which is attached as an Appendix to the PAR. The
Department’s SPPM within the OPB is responsible for the preparation of the Department’s annual
report on performance measures as well as the monitoring of component-submitted performance
information. The components submit performance information to Treasury’s Performance
Reporting System (PRS), which tracks components’ progress in achieving their performance
objectives. Specifically, the system primarily tracks progress against current year performance
targets and the prior year’s actual performance levels. Reliability of the performance information in
PRS is monitored at the component level where internal performance tracking systems are
maintained.
Each component has an assigned official who is responsible for: (1) ensuring that the
information for their assigned component was entered into the PRS; and (2) ensuring that the
information entered into the system can be validated. In addition, SPPM staff (or the component)
ensures that the information submitted relating to the performance measures matches/relates to the
original budget submission.

While SPPM’s process for monitoring performance measures appears appropriate, certain
improvements are needed with respect to the processes reviewed, and the documentation maintained
as evidence of the reviews conducted. For example, we were unable to determine whether the
quarterly monitoring procedures were conducted as described by SPPM staff, as there was no
documentation retained to evidence the work that was conducted.

GAO’s Standards for Internal Control in the Federal Government requires that management clearly
document internal control and all transactions and other significant events, and ensure that the
documentation is readily available for examination. The documentation should appear in
management directives, administrative policies, or operating manuals and may be in paper or
electronic form. All documentation and records should be properly managed and maintained.

06-07 Recommendations

We recommend that the Acting ASM, with input from the Directors of SPPM and OPB, as
appropriate:

1. Develop procedures to match performance measures reported in the PAR to those in the PRS and
   inquire into the reasons for any discrepancies, document explanations, and retain supporting
   documentation as necessary.

2. Select a sample of performance measures from each component, and request appropriate
   documentation supporting the existence and completeness of these performance measures.

3. Require retention of all documentation used in the monitoring of the performance measures to
   serve as evidence of review, and for reference purposes, should questions arise at a later date.

Management Response

Although not all measures used in the PAR have to be in the Performance Reporting System, such
as enforcement revenue, the Department agrees with the recommendations and will develop
appropriate actions to address each recommendation.

06-08: Deferred Maintenance

SFFAS No. 6, Accounting for Property, Plant and Equipment, describes deferred maintenance as
maintenance (needed to return each major class of asset to its acceptable operating condition) that
was not performed when it should have been or was scheduled to be, and which is put off or
delayed for a future period. SFFAS No. 14, Amendments to Deferred Maintenance Reporting,
requires that deferred maintenance information be included as required supplementary information
in the consolidated financial statements.

The AIC is responsible for accumulating and reporting deferred maintenance information on a
Department-wide basis.
However, the deferred maintenance information that was provided to us to
support the information reported as Required Supplementary Information in the Department’s FY
06 consolidated financial statements was inadequate due to the lack of a comprehensive policy at
the Department level.

Lack of a process to identify deferred maintenance may allow assets to deteriorate at a rate faster
than if they were maintained well and not allow adequate funds to be identified in the budget
process for the necessary maintenance or replacement of assets, which will ultimately adversely
affect Treasury’s ability to accomplish the mission for these assets. In addition, this situation may
also cause inadequate or incomplete information to be disclosed in the Department’s consolidated
financial statements.

06-08 Recommendation

We recommend that the Acting CFO, with input from the Director of AIC, as appropriate, develop
and implement policies and procedures for the identification and monitoring of deferred
maintenance on a Department-wide basis. This policy and its implementation should be coordinated
with Treasury components.

Management Response

The Office of Accounting and Internal Control, coordinating with the Office of Asset Management,
will work with the bureaus to develop Departmental policies and procedures for the identification
and monitoring of deferred maintenance. These policies and procedures will be implemented
during FY 2007 to ensure complete documentation for the required deferred maintenance
disclosures.

06-09: Backup Tapes for the TIER System and CFO Vision Production Servers (Repeat Comment)

The Treasury Information Executive Repository (TIER) and the CFO Vision applications, including
the supporting information technology infrastructures for both systems, were recently moved to the
Qwest Cyber Center in Sterling, VA.
Within the Cyber Center, the supporting infrastructure for
each of these applications is housed in a four-sided gated-off area, known as the Security Extranet
Gateway (SEG) cage. This area is physically secure and accessible only by authorized individuals.

The Qwest Cyber Center was noted as having adequate controls in place to ensure the timely and
consistent archiving of critical data related to the TIER and CFO Vision applications, including
daily and weekly full and incremental backups of data. In order to ensure that backup media is
physically and environmentally protected, including maintaining backup media at a location that is
geographically separated from the primary site, Qwest has recently entered into a contract with the
Iron Mountain Corporation, an organization that provides information and record management, to
provide long-term offsite storage for backup media for all of their managed systems, including the
TIER and CFO Vision applications.

On a regular basis, Iron Mountain arrives at Qwest to rotate backup media related to TIER and CFO
Vision on and off site. However, we noted that onsite data back-up tapes for the TIER and CFO
Vision financial systems are not stored in an environmentally secure and stable location within the
Qwest Cyber Center prior to being rotated offsite to Iron Mountain.
If data back-up tapes are not being
stored in an environmentally secure and stable environment during all stages of the rotation cycle,
there is a risk that the most current data will not be recovered in the event of a disaster.

The National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally
Accepted Principles and Practices for Securing Information Technology, recommends that back-up
tapes should be stored securely and that measures should be established to physically and
environmentally protect the archived data.

06-09 Recommendation

We recommend that the Acting CFO, with input from the Director of the Office of Financial
Systems Integration (FSI), instruct the Qwest Cyber Center to store TIER and CFO Vision data
back-up tapes in an environmentally secure and stable environment prior to being rotated offsite for
long-term storage with Iron Mountain.

Management Response

A fireproof storage box was purchased and installed at the Qwest Cyber Center in Sterling, VA.
Effective December 19, 2006, Qwest began storing backup tapes for TIER and CFO Vision in this
storage box, while waiting for pickup by the Iron Mountain Corporation. We think we have
effectively addressed this recommendation.

06-10: Continuity of Operations Plan and Disaster Recovery Procedures for TIER and CFO Vision (Repeat Comment)

In FY 05, it was noted that a Continuity of Operations Plan (COOP) and a Disaster Recovery Plan
(DRP) for the TIER and CFO Vision applications had not been implemented. Specifically, the
Department was unable to fund the development of a COOP or DRP for the TIER and CFO Vision
applications during the fiscal year due to monetary constraints.

In FY 06, the Department established a Contingency Plan for the IT environment at the
Department’s Headquarters, including the DO LAN.
Additionally, the Department implemented
the Assistant Secretary for Management (ASM)/COOP, which provided guidance, requirements,
and procedures for the continuance of the Department’s essential functions in the event of an
emergency. While both the TIER and CFO Vision applications have been identified in this
document, it does not identify or specify IT-specific recovery requirements or procedures for the
infrastructure that supports each system.

In addition, TIER and the CFO Vision applications, including their supporting information
technology infrastructures, were recently moved to the Qwest Cyber Center in Sterling, VA for
offsite management. The Qwest Cyber Center has taken several steps to ensure the physical and
environmental security, as well as the continuance of operations, for the systems Qwest has been
contracted to manage. However, neither Qwest nor the Department has implemented a DRP at
the Cyber Center for the TIER and CFO Vision applications.

Should a disaster occur without a documented DRP for TIER and CFO Vision, Treasury’s Office of
the DCFO’s ability to restore operations and continue its business operations related to these
systems may be significantly delayed.

NIST Special Publication 800-34, Contingency Planning Guide for Information Technology
Systems, states that “Information technology (IT) and automated information systems are vital
elements in most business processes. Because these IT resources are so essential to an
organization’s success, it is critical that the services provided by these systems are able to operate
effectively without excessive interruption. Contingency planning supports this requirement by
establishing thorough plans and procedures and technical measures that can enable a system to be
recovered quickly and effectively following a service disruption or disaster.”
NIST Special
Publication 800-34 also states that “IT systems are vulnerable to a variety of disruptions, ranging
from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction,
fire). Many vulnerabilities may be minimized or eliminated through technical, management, or
operational solutions as part of the organization’s risk management effort; however, it is virtually
impossible to completely eliminate all risks. Contingency planning is designed to mitigate the risk
of system and service unavailability by focusing effective and efficient recovery solutions.”

NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook
(Chapter 11), states that “Contingency planning directly supports an organization’s goal of
continued operations. Organizations practice contingency planning because it makes good business
sense. To avert potential contingencies and disasters or minimize the damage they cause
organizations can take steps early to control the event. Generally called contingency planning, this
activity is closely related to incident handling, which primarily addresses malicious technical threats
such as hackers and viruses. Contingency planning involves more than planning for a move offsite
after a disaster destroys a data center. It also addresses how to keep an organization’s critical
functions operating in the event of disruptions, both large and small. This broader perspective on
contingency planning is based on the distribution of computer support throughout an organization.”

OMB Circular No. A-130, Security of Federal Automated Information Systems, Appendix III
(A-130) requires that a contingency plan be developed, documented, and tested to assure that users
of the system can continue to perform essential functions in the event the information technology
support for their application is interrupted.
The plan should also be consistent with the agency-wide
DRP. A-130 further requires that agencies establish policies and assign responsibilities to assure
that appropriate contingency plans are developed and maintained by end users of information
technology applications. The intent of such plans is to assure that users continue to perform
essential functions in the event their information technology support is interrupted. Such plans
should be consistent with disaster recovery and continuity of operations plans maintained by the
installation at which the application is processed.

06-10 Recommendation

We recommend that the Acting CFO, with input from the Director of FSI, instruct the Qwest Cyber
Center to develop a DRP for the TIER and CFO Vision financial systems in accordance with the
guidance outlined in NIST Special Publication 800-34.

Management Response

The OCIO strategic plan was to leverage the hosting services requirements of the Treasury
Communication Enterprise (TCE) procurement to obtain both primary and backup hosting site
services. On December 21, 2006, the TCE procurement was cancelled.

The cancellation will result in Treasury adopting the General Services Administration NETWORX
Contracts, which include hosting. Since GSA is currently scheduled to award these contracts in the
third quarter of FY 2007, specific Treasury hosting plans will be framed in the fourth quarter of FY
2007.
It is envisioned a strategic COOP/DR plan will be drafted in the third quarter with a budget
estimate for the hosting services in fourth quarter.

Until the final resolution and implementation of the GSA NETWORX contract at Treasury, the
Department will evaluate interim disaster recovery solutions for the FARS applications, including
TIER and CFO Vision.

06-11: Segregation of Duties

TIER was implemented as a result of the OMB’s request for high-risk agencies to create a
repository for standardized data. TIER is an Oracle database management system and a system of
record to which individual Treasury components submit monthly financial data, and it serves as a
repository for this information. Once data is received from a component, TIER runs a series of tests
against it to ensure that the data is valid. It checks for such things as appropriate SGL account and
Budget Object Codes, as well as ensuring that no letters are entered in a data field where numbers
are required. Once these validations are complete, the data is sent to the repository area within
TIER. In 1995, the application was expanded to include all Treasury components for the purpose
of producing the Department’s consolidated financial statements. In March 2002, TIER was
web-enabled for faster and easier access by the bureaus.

TIER was developed, and is currently being maintained, by Aspex, Inc., a contractor. During
fieldwork, it was noted that systems administration duties in the TIER system have not been
properly segregated between Treasury employees and the Aspex, Inc. contractors. Specifically,
four Aspex, Inc. contractors with application developer responsibilities have also been granted
TIER production system administration rights. We noted that, in addition to these four individuals,
there are currently three (3) full-time Treasury employees with this level of access.
The four
contractors were assigned this level of access as a back-up in the event that the three primary
administrators are not available.

NIST Special Publication 800-53, Recommended Controls for Federal Information Systems, states
that “The organization establishes appropriate divisions of responsibility and separates duties as
needed to eliminate conflicts of interest in the responsibilities and duties of individuals. There is
access control software on the information system that prevents users from having all of the
necessary authority or information access to perform fraudulent activity without collusion.
Examples of separation of duties include: (i) mission functions and distinct information system
support functions are divided among different individuals/roles; (ii) different individuals perform
information system support functions (e.g., system management, systems programming, quality
assurance/testing, configuration management, and network security); and (iii) security.

NIST Special Publication 800-12, Introduction to Computer Security, states that segregation of
duties is the process by which users’ roles and responsibilities are divided so that a single individual
cannot subvert a critical process. NIST Special Publication 800-12 also states that users should
only be granted access to functions necessary to accomplish their assigned responsibilities, thereby
helping to maintain the principle of least privilege.

By allowing multiple individuals to create, modify, or delete TIER accounts, there is an increased
risk that these individuals could cause accidental or intentional harm that could threaten the
integrity of TIER data.

06-11 Recommendations

We recommend that the Acting CFO, with input from the Director of FSI, either:

1. Remove the TIER production system administration access rights from the four (4) application
   developers and/or reassign the duties to individuals without application development roles; or

2. In the event these roles are not reassigned (as recommended in (1) above), implement a
   monitoring mechanism to ensure these roles are not used in an inappropriate manner.

Management Response

Effective July 15, 2006, TIER developers no longer have TIER production systems administration
rights. This responsibility resides with three Treasury employees in the Office of Financial Systems
Integration. To provide contingency back-up, TIER systems administration rights were granted to
an InfoPro contractor, who does not have access to the TIER application for
development/maintenance purposes.

In addition, the Department will develop a control report to record any administrative changes to
TIER for subsequent review by Treasury management.

As a result of the above, we have determined the requested corrective actions have already been
completed.

06-12: User Account Passwords

Logical access controls implemented within the TIER application were reviewed to determine
compliance with Treasury-specific IT policy and Federal government guidance. As a result of our
review, we noted that Aspex, Inc., the Application Systems Support Contractor used by DCFO to
implement and manage the TIER application, was not made aware of access control requirements
in the Treasury Information Technology Security Program TD P 85-01 Volume 1 policies (TD P
85-01) when developing the application. Specifically, we noted two access controls were not
properly implemented in the TIER application based on the guidance outlined in TD P 85-01
Volume 1, as follows:

• Currently, TIER user account passwords are set to expire after 180 days.
  Should a user account
  password remain unchanged for a long period of time, there is increased risk that the user
  account could become compromised by an individual with malicious intent. Depending on the
  level of access assigned to a compromised account, this issue could potentially lead to
  alterations in the functionality of the application or the data contained within.

• A user session timeout has not been implemented in TIER. Allowing user sessions in TIER to
  remain active for lengthy periods of time creates the risk of malicious individuals hijacking user
  sessions and potentially altering the integrity of the data within the system.

During the course of the audit, this issue was brought to the attention of Treasury DCFO
management. Corrective actions were undertaken by establishing a 90-day password expiration on
all TIER user accounts. Evidence was provided to us to verify the implementation of this new
configuration.

TD P 85-01 Volume 1 Policy Part 1, Sensitive Systems, states that “Bureaus shall ensure that
passwords are changed at least every 90 days.”

NIST Special Publication 800-53, Recommended Controls for Federal Information Systems, states
that “For password-based authentication, the information system: (i) protects passwords from
unauthorized disclosure and modification when stored and transmitted; (ii) prohibits passwords
from being displayed when entered; (iii) enforces password minimum and maximum lifetime
restrictions; and (iv) prohibits password reuse for a specified number of generations.”

TD P 85-01 Volume 1 Policy Part 1, Sensitive Systems, states that “Bureaus shall implement and
enforce threshold limits for the amount of time a session is inactive before the session timeout
feature is invoked.”

NIST Special Publication 800-53 also states that “The information system also activates session
lock mechanisms automatically after a specified period of inactivity defined by the organization. A
session lock is not a substitute for logging out of the information system.”

06-12 Recommendation

We recommend that the Acting CFO, with input from the Director of FSI, require the addition of
functionality to the TIER application that will automatically invoke a session timeout after an
extended period of time as required by TD P 85-01.

Management Response

As part of an upcoming system upgrade to TIER, the application will be modified to invoke a
timeout after the system is idled for an extended period of time. These requirements will be
consistent with Federal and Treasury policies and procedures.

06-13: User Accounts

The Departmental Offices Local Area Network Operational and Technical Controls manual is not
being completely adhered to when initiating the removal of a user account from the Departmental
Offices (DO) Local Area Network (LAN) following an employee termination. Specifically, of the
twenty (20) terminated full-time employees and contractors selected for review, the user account
belonging to one (1) individual, who was terminated on July 21, 2006, was still active on the DO
LAN as of September 1, 2006. When the employee left Treasury, an entry was initiated in the
Employee Entry Exit (EEE) system; however, this entry was not saved and later followed up on
when the individual left the premises. As a result, the user account was never disabled or deleted.

During the course of the audit, this issue was brought to the attention of FSI management.
Corrective actions were undertaken by disabling this user account on the DO-LAN.
Information
was provided to us to verify the disabling of this account.

The Departmental Offices’ Local Area Network Operational and Technical Controls Manual
outlines procedures to be followed by the Help desk for the disabling of all user accounts on
DO-owned systems, including the DO LAN. These procedures state that “terminating a user account is
an automated process via the Employee, Entrance and Exit (Triple EEE) program. The program
automatically generates a ticket to disable any pending invalid user accounts.”

NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook,
states that “From time to time, it is necessary to review user account management on a system.
Within the area of user access issues, such reviews may examine the levels of access each
individual has, conformity with the concept of least privilege, whether all accounts are still active,
whether management authorizations are up-to-date, whether required training has been completed
and so forth.”

A-130 requires Federal agencies to incorporate personnel-related security controls to ensure the
screening of individuals who are authorized to bypass significant technical and operational security
controls of the system commensurate with the risk and magnitude of harm they could cause. This is
extremely important when employees leave an organization, as they may be in a position to cause
severe harm to the organization’s systems after they leave if their system access is not promptly
terminated.
The Circular requires that agencies ensure that information is protected commensurate
with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized
access to or modification of such information (least privilege).

By not having an efficient mechanism by which the DO-LAN manager is made aware of terminated
employees, the Department’s data processing environment could be significantly impacted by a
terminated employee who maintains unauthorized access.

Furthermore, should a separated employee’s DO-LAN user account not be removed in a timely
manner, the separated employee or another person with malicious intent and knowledge of this
active user account could use this account to alter the integrity of the system.

06-13 Recommendation

We recommend that the Acting CFO, with input from the Director of FSI, continue to ensure that
procedures established for the timely removal of user accounts belonging to former employees and
contractors are followed.

Management Response

Strengthening the management of system user accounts is being resolved by additional near term
and long term business process improvements. Tools to assist in this function being developed
include:

1. Electronic Notification: The Departmental Office (DO) Employee Entry Exit (EEE)
   system has a feature which provides email notification to key DO system administrators
   that LAN Access Accounts for just (or in-process) separated Federal or contractor
   personnel are to be de-activated. Such an email notification will be provided to the
   DCFO office.

2. End User Manager Re-certification: On at least an annual basis, the DCFO system
   administrator will complete a client account recertification process.
   The process entails
   forwarding to client organization managers a list of those client personnel needing
   system access privileges. The manager shall validate that organization’s current
   personnel still needing access, and annotate those who through role change or
   reassignment no longer merit access privileges. This procedure would be performed
   outside the realm of EEE.

3. Aged Open Personnel Separations: The EEE system will have an exception
   notification feature that notifies DO Office administrators or action initiators that an
   employee separation created in EEE is not recorded as closed in EEE and follow-up
   action is needed. The notification may be through a report and/or email notification.

EXHIBIT 1

DEPARTMENT OF THE TREASURY
Fiscal Year 2006
Management Letter Report
Status of Prior Year Management Letter Comments

        Prior Year Recommendations                    Current Year Status

05-01   Succession Planning Must be Implemented       This comment has not been corrected and is repeated
        Immediately                                   in the current year as comment # 06-01.
05-02   Financial Reporting Standards for             This comment has not been corrected and is repeated
        Department Component Entities Should be       in the current year as comment # 06-02.
        Consistent
05-03   The Exchange Stabilization Fund’s Budgetary   This comment has not been corrected and is repeated
        Accounting Methodology Should be Clarified    in the current year as comment # 06-03.
05-04   Annual Reconciliation Procedures to the       This comment has been partially corrected and is
        President’s Budget Should be Improved         repeated in the current year as part of comment
                                                      # 06-04.
05-05   A Formal Process Is Needed to Monitor the     This comment has been resolved and closed.
        Use of Sensitive System Software Utilities
05-06   Access Controls over the TIER System          This comment has been resolved and closed.
        Should be Strengthened
05-07   Configuration Management Processes Over       This comment has been resolved and closed.
        CFO Vision Need Improvement
05-08   CFO Vision Access Controls Should be          This comment has been resolved and closed.
        Strengthened
05-09   Financial Analysis and Reporting System       This comment has been resolved and closed.
        (FARS) Access Controls Should be
        Strengthened
05-10   Back-up Tapes for the TIER System and CFO     This comment has not been corrected and is repeated
        Vision Production Servers Should be           in the current year as comment # 06-09.
        Protected
05-11   Formal Continuity of Operations Plan and      This comment has not been corrected and is repeated
        Disaster Recovery Procedures for TIER and     in the current year as comment # 06-10.
        CFO Vision Should be Established
'